summaryrefslogtreecommitdiff
path: root/src
AgeCommit message (Collapse)Author
2016-07-22nspawn: don't skip cleanup on locking errorZbigniew Jędrzejewski-Szmek
2016-07-22import: don't log "fake" errno valuesZbigniew Jędrzejewski-Szmek
2016-07-22Use "return log_error_errno" in more places"Zbigniew Jędrzejewski-Szmek
2016-07-22Merge pull request #3777 from poettering/id128-reworkZbigniew Jędrzejewski-Szmek
uuid/id128 code rework
2016-07-22coredump: turn off coredump collection entirely after journald or PID 1 crashedLennart Poettering
Safe is safe, let's turn off the whole logic if we can, after all it is unlikely we'll be able to process further crashes in a reasonable way.
2016-07-22coredump: make sure to handle crashes of PID 1 and journald specialLennart Poettering
Fixes: #3285
2016-07-22Merge pull request #3753 from poettering/tasks-max-scaleLennart Poettering
Add support for relative TasksMax= specifications, and bump default for services
2016-07-22coredump: truncate overly long coredump metadata fields (#3780)Lennart Poettering
Fixes: #3573 Replaces: #3588
2016-07-22systemctl: never check inhibitors if -H or -M are used (#3781)Lennart Poettering
Don't check inhibitors when operating remotely. The interactivity inhibitors imply can#t be provided anyway, and the current code checks for local sessions directly, via various sd_session_xyz() APIs, hence bypass it entirely if we operate on remote systems. Fixes: #3476
2016-07-22cgroup: whitelist inaccessible devices for "auto" and "closed" DevicePolicy.Alessandro Puccetti
https://github.com/systemd/systemd/pull/3685 introduced /run/systemd/inaccessible/{chr,blk} to map inacessible devices, this patch allows systemd running inside a nspawn container to create /run/systemd/inaccessible/{chr,blk}.
2016-07-22nspawn: set DevicesPolicy closed and clean up duplicated devicesAlessandro Puccetti
2016-07-22namespace: ensure to return a valid inaccessible nodes (#3778)Alessandro Puccetti
Because /run/systemd/inaccessible/{chr,blk} are devices with major=0 and minor=0 it might be possible that these devices cannot be created so we use /run/systemd/inaccessible/sock instead to map them.
2016-07-22nss: add new "nss-systemd" NSS module for mapping dynamic usersLennart Poettering
With this NSS module all dynamic service users will be resolvable via NSS like any real user.
2016-07-22core: enforce user/group name validity also when creating transient unitsLennart Poettering
2016-07-22core: add a concept of "dynamic" user ids, that are allocated as long as a ↵Lennart Poettering
service is running This adds a new boolean setting DynamicUser= to service files. If set, a new user will be allocated dynamically when the unit is started, and released when it is stopped. The user ID is allocated from the range 61184..65519. The user will not be added to /etc/passwd (but an NSS module to be added later should make it show up in getent passwd). For now, care should be taken that the service writes no files to disk, since this might result in files owned by UIDs that might get assigned dynamically to a different service later on. Later patches will tighten sandboxing in order to ensure that this cannot happen, except for a few selected directories. A simple way to test this is: systemd-run -p DynamicUser=1 /bin/sleep 99999
2016-07-22core: be stricter when parsing User=/Group= fieldsLennart Poettering
Let's verify the validity of the syntax of the user/group names set.
2016-07-22sysusers: move various user credential validity checks to src/basic/Lennart Poettering
This way we can reuse them for validating User=/Group= settings in unit files (to be added in a later commit). Also, add some tests for them.
2016-07-22core: check for overflow when handling scaled MemoryLimit= settingsLennart Poettering
Just in case...
2016-07-22macros.systemd.in: add %systemd_ordering (#3776)Harald Hoyer
To remove the hard dependency on systemd, for packages, which function without a running systemd the %systemd_ordering macro can be used to ensure ordering in the rpm transaction. %systemd_ordering makes sure, the systemd rpm is installed prior to the package, so the %pre/%post scripts can execute the systemd parts. Installing systemd afterwards though, does not result in the same outcome.
2016-07-22core: change TasksMax= default for system services to 15%Lennart Poettering
As it turns out 512 is max number of tasks per service is hit by too many applications, hence let's bump it a bit, and make it relative to the system's maximum number of PIDs. With this change the new default is 15%. At the kernel's default pids_max value of 32768 this translates to 4915. At machined's default TasksMax= setting of 16384 this translates to 2457. Why 15%? Because it sounds like a round number and is close enough to 4096 which I was going for, i.e. an eight-fold increase over the old 512 Summary: | on the host | in a container old default | 512 | 512 new default | 4915 | 2457
2016-07-22logind: change TasksMax= value for user logins to 33%Lennart Poettering
Let's change from a fixed value of 12288 tasks per user to a relative value of 33%, which with the kernel's default of 32768 translates to 10813. This is a slight decrease of the limit, for no other reason than "33%" sounding like a nice round number that is close enough to 12288 (which would translate to 37.5%). (Well, it also has the nice effect of still leaving a bit of room in the PID space if there are 3 cooperating evil users that try to consume all PIDs... Also, I like my bikesheds blue). Since the new value is taken relative, and machined's TasksMax= setting defaults to 16384, 33% inside of containers is usually equivalent to 5406, which should still be ample space. To summarize: | on the host | in the container old default | 12288 | 12288 new default | 10813 | 5406
2016-07-22main: simplify things a bit by moving container check into fixup_environment()Lennart Poettering
2016-07-22core: rename MemoryLimitByPhysicalMemory transient property to MemoryLimitScaleLennart Poettering
That way, we can neatly keep this in line with the new TasksMaxScale= option. Note that we didn't release a version with MemoryLimitByPhysicalMemory= yet, hence this change should be unproblematic without breaking API.
2016-07-22core: support percentage specifications on TasksMax=Lennart Poettering
This adds support for a TasksMax=40% syntax for specifying values relative to the system's configured maximum number of processes. This is useful in order to neatly subdivide the available room for tasks within containers.
2016-07-22machine-id-setup: add new --print switchLennart Poettering
If specified we'll simply output the used machine ID.
2016-07-22core: rework machine-id-setup.c to use the calls from id128-util.[ch]Lennart Poettering
This allows us to delete quite a bit of code and make the whole thing a lot shorter.
2016-07-22sd-id128: handle NULL return parameter in sd_id128_from_string() nicerLennart Poettering
If the return parameter is NULL, simply validate the string, and return no error.
2016-07-22main: make sure set_machine_id() doesn't clobber arg_machine_id on failureLennart Poettering
2016-07-22machine-id-setup: port machine_id_commit() to new id128-util.c APIsLennart Poettering
2016-07-22nspawn: rework /etc/machine-id handlingLennart Poettering
With this change we'll no longer write to /etc/machine-id from nspawn, as that breaks the --volatile= operation, as it ensures the image is never considered in "first boot", since that's bound to the pre-existance of /etc/machine-id. The new logic works like this: - If /etc/machine-id already exists in the container, it is read by nspawn and exposed in "machinectl status" and friends. - If the file doesn't exist yet, but --uuid= is passed on the nspawn cmdline, this UUID is passed in $container_uuid to PID 1, and PID 1 is then expected to persist this to /etc/machine-id for future boots (which systemd already does). - If the file doesn#t exist yet, and no --uuid= is passed a random UUID is generated and passed via $container_uuid. The result is that /etc/machine-id is never initialized by nspawn itself, thus unbreaking the volatile mode. However still the machine ID configured in the machine always matches nspawn's and thus machined's idea of it. Fixes: #3611
2016-07-22systemctl: fix format string for uint64_t fieldLennart Poettering
2016-07-22systemctl: fix output alignment in "systemctl status"Lennart Poettering
If we show both a control and a main PID for a service fix this line in the output of "systemctl status": Main PID: 19670 (sleep); : 19671 (sleep) to become this: Main PID: 19670 (sleep); Control PID: 19671 (sleep)
2016-07-22nspawn: rework machine/boot ID handling code to use new calls from ↵Lennart Poettering
id128-util.[ch]
2016-07-22sd-id128: split UUID file read/write code into new id128-util.[ch]Lennart Poettering
We currently have code to read and write files containing UUIDs at various places. Unify this in id128-util.[ch], and move some other stuff there too. The new files are located in src/libsystemd/sd-id128/ (instead of src/shared/), because they are actually the backend of sd_id128_get_machine() and sd_id128_get_boot(). In follow-up patches we can use this reduce the code in nspawn and machine-id-setup by adopted the common implementation.
2016-07-22tree-wide: use sd_id128_is_null() instead of sd_id128_equal where appropriateLennart Poettering
It's a bit easier to read because shorter. Also, most likely a tiny bit faster.
2016-07-22Merge pull request #3762 from poettering/sigkill-logMartin Pitt
log about all processes we forcibly kill
2016-07-22Merge pull request #3764 from poettering/assorted-stuff-2Martin Pitt
Assorted fixes
2016-07-21nspawn: enable major=0/minor=0 devices inside the container (#3773)Alessandro Puccetti
https://github.com/systemd/systemd/pull/3685 introduced /run/systemd/inaccessible/{chr,blk} to map inacessible devices, this patch allows systemd running inside a nspawn container to create /run/systemd/inaccessible/{chr,blk}.
2016-07-21missing_syscall: add __NR_copy_file_range for powerpc architecture (#3772)Alessio Igor Bogani
2016-07-21gpt-generator: relax EFI check a bitLennart Poettering
Previously, we'd not mount the ESP except on EFI boots, and only when the ESP used for booting matches the ESP we found. With this change on non-EFI boots we'll mount a discovered ESP anyway, and on EFI boots we'll only mount it if it matches the ESP we booted from.
2016-07-21kernel-install: when searching for location to place kernel consider /efiLennart Poettering
With this change kernel-install will now first look for an existing kernel installation in /efi, /boot and /boot/efi. If none is found, /efi is used if it is a mount point, otherwise /boot/efi if it is one. If nothing of that worked /boot is used without further checking. This means /boot should be the default unless something was installed before or something else was explicitly mounted.
2016-07-21bootctl: modernize install_loader_config()Lennart Poettering
let's the proper APIs to read the machine ID, and properly check for all errors.
2016-07-21bootctl: various coding style updatesLennart Poettering
2016-07-21bootctl: clean up get_file_version()Lennart Poettering
Make sure that we always initialize the return parameter on success, and that all errors result in an error message, not just some.
2016-07-21bootctl: use F_TYPE_EQUAL() to compare statfs' .f_type fieldLennart Poettering
After all, the field is kinda borked.
2016-07-21bootctl: move toupper() implementation to string-util.hLennart Poettering
We already have tolower() calls there, hence let's unify this at one place. Also, update the code to only use ASCII operations, so that we don't end up being locale dependant.
2016-07-21bootctl: make use of STRV_FOREACH() where we canLennart Poettering
2016-07-21bootctl: rework to use common verbs parsing, and add searching of ESP pathLennart Poettering
This rearranges bootctl a bit, so that it uses the usual verbs parsing routines, and automatically searches the ESP in /boot, /efi or /boot/efi, thus increasing compatibility with mainstream distros that insist on /boot/efi. This also adds minimal support for running bootctl in a container environment: when run inside a container verification of the ESP via raw block device access, trusting the container manager to mount the ESP correctly. Moreover, EFI variables are not accessed when running in the container.
2016-07-21bootctl: fix error message checkLennart Poettering
2016-07-21bootctl: minor coding style improvementsLennart Poettering